US-7783735

Containment of network communication

Published: August 24, 2010
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Invention selectively enables usage of services and communication conduits in a computer network, wherein the enablement is contingent on usage conditions, resulting in containment of the spread of unauthorized activity within a networked computer system and limiting the scope of results when an element becomes part of a hostile execution environment. Instead of protecting individual networked elements from a potentially hostile execution environment, the elements' usage of the networked environment is restricted to the extent of selectively allowing usage of needed resources explicitly authorized for use by such elements.

Patent Claims
41 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method to be executed by a processor within a network having a client, comprising: intercepting a connection request within the network, wherein the connection request is initiated from the client to establish a communication conduit between the client and a server in order to access a specific service on the server; identifying the communication conduit corresponding to the client, the server, and the specific service; identifying one or more usage conditions associated with the communication conduit, wherein the one or more usage conditions are defined to permit conditional use of the communication conduit by the client; and determining whether the one or more usage conditions permit the connection request to be sent to the server, and wherein one of the one or more usage conditions that would permit the connection request to be sent includes a persistent usage condition in which the communication conduit was previously authorized and a designated time interval for the persistent usage condition has not lapsed.

2. The method of claim 1, further comprising the step of forwarding the connection request to the server over the communication conduit when the one or more usage conditions are met.

3. The method of claim 2, wherein the identifying the communication conduit comprises identifying a first network address of the server, a second network address of the client, a port number of the communication conduit, and the specific service associated with the port number.

4. The method of claim 3, further comprising the step of sending a plurality of DHCP reply messages for binding a first address of a first host to a second address of a second host, the plurality of DHCP reply messages sent to a third host, the server residing on the first host, and the client residing on the third host.

5. The method of claim 2, wherein the determining step comprises (a) obtaining a confirmation from a human, and (b) determining whether the communication conduit was used by the client prior to the client's sending the connection request.

6. The method of claim 2, wherein the determining step comprises obtaining a confirmation from a human, wherein the human (a) is associated with the client or (b) has administrative privilege.

7. The method of claim 2, wherein the determining step comprises (a) determining whether the client used the communication conduit at any time prior to the client's sending the connection request, (b) determining whether the client used the communication conduit within a specific time-window prior to the client's sending the connection request, or (c) determining whether the client used the communication conduit within a pre-determined context prior to the client's sending the connection request, wherein the pre-determined context comprises a TCP connection or a session.

8. The method of claim 2, wherein the determining step comprises determining whether a configuration of the client comprises one or more pre-determined data.

9. The method of claim 2, wherein the determining step comprises determining whether a repository comprises one or more authorization data pertinent to the connection request.

10. The method of claim 2, wherein the determining step comprises authorizing temporary usage of the communication conduit, wherein the temporary usage expires unless administrative approval is obtained (a) within a pre-determined time-window, (b) before the client sends a pre-determined number of messages, or (c) before the client uses a pre-determined number of distinct contexts, wherein a context comprises a TCP connection or a session.

11. The method of claim 2, wherein the determining step comprises determining whether the connection request is sent within a pre-determined time-window.

12. The method of claim 11, wherein the pre-determined time-window comprises one or more weekday peak usage hours.

13. The method of claim 1, further comprising the step of discarding the connection request when the one or more usage conditions are not met.

14. The method of claim 13, wherein the identifying the communication conduit comprises identifying a first network address of the client, a second network address of the server, a port number of the communication conduit, and the specific service associated with the port number.

15. The method of claim 1, further comprising the step of logging a result of the determining step.

16. The method of claim 1, further comprising the step of notifying a system-administrator of a result of the determining step.

17

17. A method to be executed by a processor within a network having a client, comprising: intercepting a service-initiation request within the network, wherein the service-initiation request is initiated from the client in order to access a specific service on a server; identifying a request-type corresponding to the service-initiation request and the specific service; identifying one or more service conditions associated with the request-type, wherein the one or more service conditions are defined to permit conditional use of the request-type by the client; and determining whether the one or more service conditions permit the service-initiation request to be sent to the server, and wherein one of the one or more service conditions that would permit the service-initiation request to be sent include a persistent usage condition in which the request-type was previously authorized and a designated time interval for the persistent usage condition has not lapsed.

18

18. The method of claim 17 , further comprising the step of forwarding the service-initiation request to the server over the network when the one or more service-conditions are met.

19

19. The method of claim 18 , wherein the determining step comprises identifying a first network address of the server and a second network address of the client.

20

20. The method of claim 19 , further comprising the step of sending a plurality of DHCP reply messages for binding a first address of a first host to a second address of a second host, the plurality of DHCP reply messages sent to a third host, the server residing on the first host, and the client residing on the third host.

21

21. The method of claim 18 , wherein the determining step comprises (a) obtaining a confirmation from a human or (b) determining whether the client sent the service-initiation request within an authorized time window.

22

22. The method of claim 18 , wherein the determining step comprises determining whether a second service-initiation request of a same request-type as the service-initiation request (a) was forwarded to the server at any time prior to the client's sending the service-initiation request (b) was forwarded to the server within a pre-determined time-window prior to the client's sending the service-initiation request, or (c) was forwarded to the server within a specific context, wherein a context comprises a TCP connection or a session.

23

23. The method of claim 18 , wherein the determining step comprises determining whether a second service-initiation request of one or more pre-determined request-types (a) was forwarded to the server at any time prior to the client's sending the service-initiation request, (b) was forwarded to the server within a pre-determined time-window prior to the client's sending the service-initiation request, or (c) was forwarded to the server within a specific context, wherein a context comprises a TCP connection or a session.

24

24. The method of claim 17 , further comprising discarding the service-initiation request when the one or more service conditions are not met.

25

25. The method of claim 24 , wherein the determining step comprises identifying a first network address of the client and a second network address of the server.

26

26. The method of claim 17 , further comprising the step of logging a result of the determining step.

27

27. The method of claim 17 , further comprising the step of notifying a system-administrator of a result of the determining step.

28

28. A system within a network having a client, comprising: a communication proxy for intercepting a connection request within the network, wherein the connection request is initiated from the client to establish a communication conduit between the client and a server in order to access a specific service on the server, wherein the communication proxy comprises one or more processors programmed to execute one or more sequences of instructions, including: identifying the communication conduit corresponding to the client, the server, and the specific service; identifying one or more usage conditions associated with the communication conduit, wherein the one or more usage conditions are defined to permit conditional use of the communication conduit by the client; determining whether the one or more usage conditions permit the connection request to be sent to the server, and wherein one of the one or more usage conditions that would permit the connection request to be sent includes a persistent usage condition in which the communication conduit was previously authorized and a designated time interval for the persistent usage condition has not lapsed.

29

29. The system of claim 28 , wherein the one or more sequences of instructions executed by the one or more processors of the communication proxy further include (a) obtaining a confirmation from a human, and (b) determining whether the communication conduit was used by the client prior to the client sending the connection request.

30

30. The system of claim 28 , wherein the one or more sequences of instructions executed by the one or more processors of the communication proxy further include identifying a first network address of the server, a second network address of the client, a port number of the communication conduit, and the specific service associated with the port number.

31

31. The system of claim 30 , wherein the one or more sequences of instructions executed by the one or more processors of the communication proxy further include sending a plurality of DHCP reply messages for binding a first address of a first host to a second address of a second host, the plurality of DHCP reply messages sent to a third host, the server residing on the first host, and the client residing on the third host.

32

32. The system of claim 30 , wherein the communication proxy resides in a network element, the network element in a communication path between the client and the server.

33

33. The system of claim 30 , wherein the communication proxy and the client reside on the same host.

34

34. The system of claim 30 , wherein the communication proxy and the server reside on the same host.

35

35. A system within a network having a client, comprising: a service-proxy for intercepting a service-initiation request within the network, wherein the service-initiation request is initiated from the client in order to access a specific service on a server, wherein the service-proxy comprises one or more processors configured to execute one or more sequences of instructions, including: identifying a request-type corresponding to the service-initiation request and the specific service; identifying one or more service-conditions associated with the request-type, wherein the one or more service-conditions are defined to permit conditional use of the request-type by the client; determining whether the one or more service-conditions permit the service-initiation request to be sent to the server, and wherein one of the one or more service-conditions that would permit the service-initiation request to be sent include a persistent usage condition in which the request-type was previously authorized and a designated time interval for the persistent usage condition has not lapsed.

36

36. The system of claim 35 , wherein the one or more sequences of instructions executed by the one or more processors of the service-proxy further include (a) obtaining a confirmation of the one or more service-conditions being met from a human or (b) determining whether the client set the service-initiation request within an authorized time-window.

37

37. The system of claim 35 , wherein the one or more sequences of instructions executed by the one or more processors of the service-proxy further include identifying a first network address of the server and a second network address of the client.

38

38. The system of claim 37 , wherein the one or more sequences of instructions executed by the one or more processors further include sending a plurality of DHCP reply messages for binding a first address of a first host to a second address of a second host, the plurality of DHCP reply messages sent to a third host, the server residing on the first host, and the client residing on the third host.

39

39. The system of claim 37 , wherein the service-proxy resides in a network element, the network element in a communication path between the client and the server.

40

40. The system of claim 37 , wherein the service-proxy and the client reside on the same host.

41

41. The system of claim 37 , wherein the service-proxy and the server reside on the same host.

Classification Codes (CPC)

Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.

Patent Metadata

Filing Date

March 22, 2004

Publication Date

August 24, 2010

Want to explore more patents?

Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Containment of network communication” (US-7783735). https://patentable.app/patents/US-7783735

© 2026 Patentable. All rights reserved.

Patentable is a research and drafting-assistant tool, not a law firm, and does not provide legal advice. Documents we generate are drafts for review by a licensed patent attorney.

Containment of network communication — Bakul Shah | Patentable